On Fri, 14 Oct 2016, Givonne wrote:

http://thehackernews.com/2016/10/nsa-crack-encryption.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Security+Blog%29&_m=3n.009a.1343.bx0ao08q8s.scz

## Advertising

The article is not entirely correct:
the researchers explained that the Diffie-Hellman algorithm
does not contain any backdoor itself, but it has been intentionally
weakened in an undetectable way by hiding the fact how various
applications generate prime numbers.
The paper actually states "we cannot proof common DH values have not
been backdoored". Also, these "applications" referred to should really be
"RFC standards listed DH values for protocols". So they are not
"intentially weaked", we just cannot prove they have not been
intentially weakened. Which in itself is damning, but quite a different
conclusion.
So, advanced hackers or well-resourced agencies who are aware of
the fact how prime numbers are being generated for trapdoor function and
looking to decrypt 1024-bit secured communications can unscramble the
discrete logarithm in order to decrypt hundreds of millions of
Diffie-Hellman-protected communications.
The researchers never claimed with enough CPU power to be able to
find the trapdoor. Just that with enough CPU power they could create a
trapdoor'ed set of DH values that no one known (including themselves)
could detect without the knowledge of how they were created.
The concept of backdooring primes used in the Diffie-Hellman key
exchange algorithm is almost similar to the one discovered in the Dual
Elliptic Curve Deterministic Random Bit Generator, better known as
Dual_EC_DRBG, which is also believed to have been introduced by the NSA.
Note the "also believed [..] by the NSA", which now blames the NSA for
backdooring every RFC standard. I believe the only DH values that are suspect
are the RFC-5114 ones. And people started to distrust these for these
exact reason a few years ago. The new thing now is that the researchers
proved this could have been done.
And it seems no ons is explaining the "use well known/researched primes"
versus the "accept/generate primes without these having been researched
or even proven to be prime" dilemma.
Paul
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography